KDC Service Account
Tony Holm
04-27-07 06:20 PM

I am trying to configure OWA with patch for KB 920209 to enable Smart Card
login to OWA.

Part of the KB is creating a KDC Service Account, which appears to require
using "setspn".  The examples leave LOTS to be desired.

Do I run setspn on the OWA server or domain controller?
One of the command line options is the "computername".  Is this the OWA
server or Domain Controller name?

Any help?
Tony Holm

    Re: KDC Service Account  
Ken Schaefer
04-28-07 12:18 PM

"Tony Holm" <Tony Holm@discussions.microsoft.com> wrote in message
news:055A66D8-2194-4DA3-8015-422731FFDC71@microsoft.com...
>I am trying to configure OWA with patch for KB 920209 to enable Smart Card
> login to OWA.
>
> Part of the KB is creating a KDC Service Account, which appears to require
> using "setspn".  The examples leave LOTS to be desired.
>
> Do I run setspn on the OWA server or domain controller?
> One of the command line options is the "computername".  Is this the OWA
> server or Domain Controller name?


SetSPN can be run on any computer. SetSPN makes changes to AD attributes for
the specified computername (i.e. you run it anywhere, it connects to a DC,
and makes the changes specified)

When you use SetSPN, you specify the Service Principal Name you wish to
register (whether that be under a computer account or user account).

The following may help shed some light:

IIS and Kerberos Part 1 - What is Kerberos and how does it work?
http://www.adopenstatic.com/cs/blog.../10/19/512.aspx

IIS and Kerberos Part 2 - What are Service Principal Names?
http://www.adopenstatic.com/cs/blog.../11/19/606.aspx

IIS and Kerberos. Part 3 - A simple scenario
http://www.adopenstatic.com/cs/blog...01/16/1054.aspx

IIS and Kerberos Part 4 - A simple delegation scenario
http://www.adopenstatic.com/cs/blog...01/27/1282.aspx


Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
    Re: KDC Service Account  
Tony Holm
05-21-07 06:19 PM
Ken,
While your articles are very informative and written in low enough English
for me to understand, I still can't get it to work.

Situation:
Domain is MYCOMPANY.COM (MYCOMPANY)
Exchange server is CMAIL
Exchange front-end server is FMAIL
KDC service account is C.KDC

Completed steps in MS KB 920209
- Created user account C.KDC
- In GPO set account for "Enable computers and user accounts to be trusted
for delegation"
- Set Exchange/IIS settings for Integrated Authentication
- Added site to "Intranet Zone" and turned on Integrated Authentication in IE

I tried the following SETSPN lines:

SETSPN -A HTTP/FMAIL MYCOMPANY\C.KDC
SETSPN -A HTTP/WEBMAIL.MYCOMPANY.COM MYCOMPANY\C.KDC

Nothing works yet.  FMAIL keeps prompting me for username and password.
When I type them in it still doesn't work.  After 3 tries it says "Error:
Access is Denied"

Tony
    Re: KDC Service Account  
Ken Schaefer
05-25-07 06:18 PM

Hi,

I'm not sure what you mean by "KDC service account" - the KDC runs inside
LSASS on your domain controllers. It is always run as LocalSystem.

Are you talking about the web application pool user identity on your FMAIL
server?

Cheers
Ken

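The two points Ken makes above, that setspn only writes a servicePrincipalName attribute in AD and that the SPN belongs to whichever account (computer or user) actually runs the service, i.e. the application pool identity, are what decide whether the lines Tony posted can work. The script below is an added example, not code from this thread or from KB 920209. It uses the thread's names (domain MYCOMPANY / MYCOMPANY.COM, front-end host FMAIL, published name WEBMAIL.MYCOMPANY.COM, account C.KDC); the function names, the extra FQDN form HTTP/FMAIL.MYCOMPANY.COM and the assumption that the pool identity is passed in exactly as IIS Manager shows it are this example's own. It runs from any domain-joined machine with setspn.exe on the path, because, as Ken says, the tool talks to a DC rather than to the web server.

```powershell
# Added example (not from the thread or KB 920209). Finds where each HTTP SPN for
# the OWA front end is registered, flags SPNs that sit on the wrong account or on
# two accounts, and (with -Apply) moves them onto the account the app pool runs as.

function Find-SpnOwner {
    # Returns one object per AD account carrying $Spn. No hits: not registered.
    # Two or more hits: duplicate SPN, and the KDC may encrypt the service ticket
    # with the wrong account's key, which IIS then cannot decrypt.
    param([Parameter(Mandatory = $true)][string]$Spn)
    # RFC 4515 escaping so the SPN text cannot alter the LDAP filter.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$escaped)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')
    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Spn     = $Spn
            Account = [string]$result.Properties['samaccountname'][0]
            # objectClass is ordered least to most specific: last value is 'computer' or 'user'
            Class   = [string](@($result.Properties['objectclass'])[-1])
        }
    }
}

function Get-SpnHolder {
    # The SPN must sit on the account whose key IIS holds: the computer account when
    # the pool runs as Network Service or Local System, otherwise the domain user set
    # as the pool identity (assumed here to be given as DOMAIN\user).
    param(
        [Parameter(Mandatory = $true)][string]$WebHost,           # e.g. 'FMAIL'
        [Parameter(Mandatory = $true)][string]$AppPoolIdentity    # as shown in IIS Manager
    )
    if ($AppPoolIdentity -match '^(NT AUTHORITY\\)?(Network ?Service|Local ?System)$') {
        return @{ Sam = "$WebHost`$"; SetspnName = $WebHost }     # computer account FMAIL$
    }
    return @{ Sam = $AppPoolIdentity.Split('\')[-1]; SetspnName = $AppPoolIdentity }
}

function ConvertTo-SetspnName {
    # setspn.exe wants a bare computer name for computer accounts and DOMAIN\user for users.
    param([string]$Sam, [string]$Class, [string]$NetbiosDomain)
    if ($Class -eq 'computer') { return $Sam.TrimEnd('$') }
    return "$NetbiosDomain\$Sam"
}

function Repair-HttpSpn {
    # Reports, and with -Apply fixes, the HTTP SPNs for the OWA front end.
    # setspn -A on Windows 2003 does not check for duplicates, so the check is done here.
    param(
        [string]$WebHost       = 'FMAIL',
        [string]$NetbiosDomain = 'MYCOMPANY',
        [string]$DnsDomain     = 'MYCOMPANY.COM',
        [string]$PublishedName = 'WEBMAIL.MYCOMPANY.COM',
        [Parameter(Mandatory = $true)][string]$AppPoolIdentity,
        [switch]$Apply
    )
    $holder = Get-SpnHolder -WebHost $WebHost -AppPoolIdentity $AppPoolIdentity
    $spns = @("HTTP/$WebHost", "HTTP/$WebHost.$DnsDomain", "HTTP/$PublishedName")
    foreach ($spn in $spns) {
        $owners    = @(Find-SpnOwner -Spn $spn)
        $onHolder  = $owners | Where-Object { $_.Account -eq $holder.Sam }
        $elsewhere = $owners | Where-Object { $_.Account -ne $holder.Sam }
        foreach ($o in $elsewhere) {
            # An SPN on an account other than the pool identity yields a ticket for a
            # key IIS does not have; the client then falls back to a credential prompt.
            Write-Warning "$spn is on $($o.Class) $($o.Account), not on $($holder.Sam)"
            if ($Apply) {
                & setspn.exe -D $spn (ConvertTo-SetspnName -Sam $o.Account -Class $o.Class -NetbiosDomain $NetbiosDomain)
            }
        }
        if ($onHolder) {
            Write-Host "$spn already registered on $($holder.Sam)"
        } else {
            Write-Host "registering $spn on $($holder.SetspnName)"
            if ($Apply) { & setspn.exe -A $spn $holder.SetspnName }
        }
    }
    # Final state, as setspn -L prints it for the holding account.
    & setspn.exe -L $holder.SetspnName
}

# Dry run first, then apply. Pool identity is whatever IIS Manager shows for the OWA pool.
Repair-HttpSpn -AppPoolIdentity 'NT AUTHORITY\NetworkService'
# Repair-HttpSpn -AppPoolIdentity 'MYCOMPANY\C.KDC' -Apply
```

Two consequences of the check worth knowing: if the pool runs as Network Service, HTTP/FMAIL is already implied by the computer account's HOST/FMAIL entry through the default SPN mappings, so the entry that genuinely has to be added is the published alias HTTP/WEBMAIL.MYCOMPANY.COM; and if a user account such as C.KDC is to hold the SPNs, that same account must be the pool identity, otherwise the two setspn -A lines from the thread put the SPN on an account whose key IIS does not possess.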